Heimdal

RedClouds is a recently uncovered cyberespionage and hacking campaign that uses RDStealer malware to steal data from drives shared over Remote Desktop connections. The threat actors behind this campaign, whose identities remain unknown, exhibit advanced skills reminiscent of government-sponsored APT groups.

According to the researchers, the hackers involved in this campaign have been active since 2020, leaving behind several traces of their activities. Initially, they relied on off-the-shelf tools, but in 2021, they transitioned to their own custom-built malware.

Custom Malware Exploiting RDP

The Remote Desktop Protocol (RDP), developed by Microsoft, lets a user connect to and control a Windows computer remotely as if sitting in front of it, and the RDP client can redirect its local drives into that session. RDStealer targets exactly those redirected client drives: its primary objectives are stealing credentials and exfiltrating data from them.
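The drives RDStealer reads from only exist inside a session when the connecting client has drive redirection enabled, so the first thing a defender wants to know is whether a host permits it. The PowerShell below is an added example (not code from the article or from the researchers' report): it reads the Terminal Services policy value that governs drive redirection, can enforce the "Do not allow drive redirection" setting, and checks whether a redirected client drive is reachable from the current session under the \\tsclient UNC path.

```powershell
# Added example, not from the original article: inspect and harden RDP client drive
# redirection on a Windows host. Run the Disable-* function from an elevated shell.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpDriveRedirectionState {
    # fDisableCdm = 1 is what the GPO "Do not allow drive redirection" writes.
    $value = (Get-ItemProperty -Path $policyKey -Name 'fDisableCdm' -ErrorAction SilentlyContinue).fDisableCdm
    if ($null -eq $value) { return 'NotConfigured (redirection allowed by default)' }
    if ($value -eq 1)     { return 'Disabled' }
    return 'Enabled'
}

function Disable-RdpDriveRedirection {
    # Equivalent to enabling Computer Configuration > Administrative Templates >
    # Windows Components > Remote Desktop Services > Remote Desktop Session Host >
    # Device and Resource Redirection > "Do not allow drive redirection".
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'fDisableCdm' -Value 1 -Type DWord
}

function Test-ClientDriveExposed {
    # Inside an RDP session a redirected client drive is exposed as \\tsclient\<letter>;
    # this is the path a stealer on the session host would read from.
    param([string]$Letter = 'c')
    Test-Path "\\tsclient\$Letter"
}

"Drive redirection policy: $(Get-RdpDriveRedirectionState)"
"Client C: drive reachable from this session: $(Test-ClientDriveExposed)"
```

The policy value only blocks redirection on the session host; a connecting client that leaves "Local Resources > Drives" checked still offers its drives, but the host will refuse to map them. Check the host setting on jump boxes and other machines that many clients connect to, since those are where a stealer sees the most redirected drives.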

The threat actors employ various malicious tools throughout their campaign, concealing them in the following locations:

  • c:\windows\system32\
  • c:\windows\system32\wbem\
  • c:\windows\security\database\
  • %PROGRAM_FILES%\f-secure\psb\diagnostics
  • %PROGRAM_FILES_x86%\dell\commandupdate\
  • %PROGRAM_FILES%\dell\md storage software\md configuration utility\

To make the malware look legitimate, the attackers favour two locations normally reserved for genuine software:

  • %PROGRAM_FILES%
  • %PROGRAM_FILES_x86%

The malware was also found in the folder where Windows keeps its security database files:

  • c:\windows\security\database\

Placing files there is meant to blend in with system data and reduce the chance that the malware is noticed.

For persistence, the Logutil backdoor abuses the Winmgmt (WMI) service indirectly through DLL hijacking. The technique depends on a malicious loader planted at:

  • %SYSTEM32%\wbem\ncobjapi.dll

Winmgmt loads the "Microsoft WMI Provider Subsystem" DCOM server, which is implemented in c:\windows\system32\wbem\wmiprvsd.dll.

wmiprvsd.dll in turn depends on ncobjapi.dll, whose legitimate copy lives in c:\windows\system32. According to the researchers, the DLL search order consults %SYSTEM32%\wbem\ before c:\windows\system32, so the planted loader is picked up instead of the genuine library whenever the WMI component is loaded.
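The practical check that follows from this is simple: a genuine ncobjapi.dll belongs in System32, so any ncobjapi.dll sitting in System32\wbem is a hijack candidate. The PowerShell below is an added example (not code from the article or from the researchers' report). It reports that file with its hash and Authenticode status, and sweeps the other staging directories named in the article for DLLs that are unsigned or fail signature validation. The full System32 directory is deliberately left out of the sweep, since a signature pass over thousands of catalog-signed system DLLs is slow and noisy; compare that directory against a known-good baseline instead.

```powershell
# Added example, not from the original article: hunt for the ncobjapi.dll hijack and
# for unsigned DLLs in the staging directories listed above. Run from an elevated shell.
$sys32 = Join-Path $env:SystemRoot 'System32'

# Directories from the article, minus bare System32 (see note in the lead-in).
$stagingDirs = @(
    (Join-Path $sys32 'wbem'),
    (Join-Path $env:SystemRoot 'security\database'),
    (Join-Path $env:ProgramFiles 'f-secure\psb\diagnostics'),
    (Join-Path $env:ProgramFiles 'dell\md storage software\md configuration utility')
)
if (${env:ProgramFiles(x86)}) {
    $stagingDirs += (Join-Path ${env:ProgramFiles(x86)} 'dell\commandupdate')
}

function Test-NcobjapiHijack {
    # The legitimate library is System32\ncobjapi.dll; a copy under wbem\ is the planted loader.
    $planted = Join-Path $sys32 'wbem\ncobjapi.dll'
    if (-not (Test-Path $planted)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $planted
    [pscustomobject]@{
        Path      = $planted
        SHA256    = (Get-FileHash -Path $planted -Algorithm SHA256).Hash
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        Modified  = (Get-Item $planted).LastWriteTime
    }
}

function Find-UnsignedDlls {
    # Legitimate vendor DLLs in the Dell and F-Secure folders carry valid vendor signatures,
    # so only an invalid or missing signature is flagged here; a DLL of any kind inside
    # security\database is unusual and worth a look regardless of signature.
    foreach ($dir in $stagingDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue | ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid' -or $dir -like '*security\database*') {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Status   = $sig.Status
                    Signer   = $sig.SignerCertificate.Subject
                    SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Modified = $_.LastWriteTime
                }
            }
        }
    }
}

$hijack = Test-NcobjapiHijack
if ($hijack) { 'ncobjapi.dll present in System32\wbem (hijack candidate):'; $hijack | Format-List }
else         { 'No ncobjapi.dll in System32\wbem.' }

'DLLs with invalid or missing signatures in the staging directories:'
Find-UnsignedDlls | Format-Table -AutoSize
```

A hit from Test-NcobjapiHijack is strong evidence on its own, because the file has no legitimate reason to exist at that path; record the hash before removing anything so it can be matched against other hosts. An unsigned DLL elsewhere is weaker evidence and needs the usual triage (creation time, parent process that wrote it, whether it is currently loaded in a WMI or svchost process).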

Attack Packages Used

According to Cyber Security News, the following packages are utilized in the attack:

  • cli: Implements clipboard content capture using Windows API functions such as OpenClipboard and GetClipboardData.
  • key: Implements keystroke capture along with window name tracking.
  • main: Acts as the orchestrator, setting up persistence and initiating data collection routines based on specific conditions.
  • modules: Implements various functions to collect and stage data for subsequent exfiltration.
  • utils: Implements encryption and decryption functions, file attribute manipulation, and logging.

Furthermore, researchers have found references to ESXi and Linux within Logutil's command and control (C2) framework. This suggests that the threat actors are taking advantage of Go's cross-platform compilation to build a backdoor that can run on systems other than Windows.


Author Profile

Mihaela Popa

COMMUNICATIONS & PR OFFICER

Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.
